WordPress Plugin flexi-product-slider-grid Code Audit: SQL Injection/LFI Risks

Critical Vulnerability Information Plugin Name: Version: 1.0.5 File: Last Updated: 9 months ago (Revision 3303451) Potential Vulnerability Points: 1. Unvalidated Shortcode Attributes: - When processing shortcode attributes ( ), the code uses to set default values, but does not adequately validate the attribute values. - For example: , , , , etc. These attributes could be manipulated by malicious users, potentially leading to SQL injection or XSS. - 2. Unvalidated SQL Query Parameters: - When building arguments, the code directly uses values from without sufficient validation or escaping. - 3. Template File Inclusion Risk: - When loading template files, the code uses as part of the filename, which could potentially lead to a Local File Inclusion (LFI) vulnerability. - Recommendations: Strictly validate and escape all user-supplied data. Avoid using user-supplied data in file paths, or strictly validate and restrict such inputs if necessary.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Plugin flexi-product-slider-grid Code Audit: SQL Injection/LFI Risks